"Panda Stealer Targets Crypto Wallets"

A new information stealer called Panda Stealer is going after cryptocurrency wallets and credentials for applications including NordVPN, Telegram, Discord, and Steam. Panda Stealer uses spam emails and the same hard-to-detect fileless distribution method deployed by a recent Phobos ransomware campaign discovered by researchers at Morphisec. The attack campaign primarily targets users in Australia, Germany, Japan, and the United States. Trend Micro discovered Panda Stealer at the start of April. Threat researchers have identified two infection chains being used by the campaign. In one, an .XLSM attachment contains macros that download a loader, which then downloads and executes the main stealer. The other infection chain involves an attached .XLS file containing an Excel formula that uses a PowerShell command to access paste.ee, a Pastebin alternative, which in turn accesses a second encrypted PowerShell command. Once installed, Panda Stealer can collect details such as private keys and records of past transactions from its victims' digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. Other cards up Panda's sleeve are the ability to take screenshots of the infected computer and the power to exfiltrate data from browsers, such as cookies, passwords, and cards.
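As a defensive illustration of the second infection chain described above (an Excel file launching PowerShell that reaches paste.ee), the following added example triages process-creation events; it is not code from Trend Micro, Infosecurity, or the original page. The event schema, rule names, and sample events are constructed assumptions.

```python
import ntpath
import re

# Assumed event schema and rule names; the sample data below is constructed, not real telemetry.
OFFICE_PARENTS = {"excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
PASTE_HOSTS = {"paste.ee"}  # host named in the article; extend locally as needed
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, regardless of the analysis OS."""
    return ntpath.basename(path.strip('"')).lower()

def paste_hosts_in(cmdline):
    """Return watched hosts (or their subdomains) referenced by URLs in cmdline."""
    hits = set()
    for host in URL_HOST.findall(cmdline):
        host = host.lower().rstrip(".")
        for watched in PASTE_HOSTS:
            if host == watched or host.endswith("." + watched):
                hits.add(watched)
    return sorted(hits)

def triage(event):
    """Return the list of rule names an event matches."""
    findings = []
    child_is_shell = basename(event["image"]) in SHELLS
    if child_is_shell and basename(event["parent"]) in OFFICE_PARENTS:
        findings.append("excel_spawned_powershell")
    if child_is_shell and paste_hosts_in(event["cmdline"]):
        findings.append("powershell_fetches_paste_site")
    return findings

SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <constructed> https://paste.ee/r/PLACEHOLDER"},
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -File backup.ps1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh.exe <constructed> http://PASTE.EE/r/PLACEHOLDER"},
]

def run(events=SAMPLE_EVENTS):
    return {e["id"]: triage(e) for e in events}

if __name__ == "__main__":
    print(run())
```

Event 1 matches both rules, event 2 (PowerShell started from Explorer with a local script) matches none, and event 3 matches only the paste-site rule because its parent is not Excel.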

 

Infosecurity reports: "Panda Stealer Targets Crypto Wallets"

Submitted by Anonymous on